SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Learn More
866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO-20000-1
Privacy Assessments
Privacy Assessments
APEC Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
Privacy Program Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
Healthcare Assessments
Healthcare Assessments
HITRUST CSF Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Series
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
Our Technology
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
ISO Certificate Directory
Contact Us

«  View All Posts

Penetration Testing: Environment Selection Guide Blog Feature
Austin Bentley

By: Austin Bentley

Print/Save as PDF

Penetration Testing: Environment Selection Guide

Penetration Testing

 You’ve got a system that needs to be tested, but you’re not really certain about which environment the testing should occur in. Or, maybe you’re feeling uneasy about testing within production. Many have been in your exact same shoes in the past -- below, we’ll help assist you in making this important decision. 

Common IT Environments 

First, let’s discuss common environments. Most organizations have two or more of the following environments: 

  • Production – where core business functions occur 
  • Preprod /Staging – a mirror of production used to facilitate eventual deployment to production 
  • Test/QA – used by developers, IT and/or QA to test new deployments 
  • Dev – used by developers to rapidly test development changes 

 While production takes the crown as “most important,” each of these environments plays a critical role in your IT department. Most organizations don’t readily deploy to production without a rigorous QA testing process – untested changes could result in downtime, data loss or other or other security concerns. 

Testing Changes vs Periodic Testing 

Before we begin the debate, we should discuss the two most common forms of penetration testing: 

  • Continuous Penetration Testing – when a significant change is made to a system, the changes made, and only the changes, are pen tested. 
  • Scheduled Penetration Testing – periodic testing which is comprehensive of the entire system. 

Organizations that implement Continuous Penetration Testing do so to avoid introducing security risks into their production environment. Therefore, it makes sense that this testing should happen in a non-production environment. With that being said, system owners should do their best to ensure that the representative environment mirrors production as much as reasonably possible – more on that later. 

Scheduled Penetration Testing is comprehensive of the entire system, and not just recent changes. While this does result in a significant increase in effort, there are two major benefits. First, new risks can be discovered: new vulnerabilities or attack methods may be discovered since the last test. Second, these comprehensive tests are commonly required per compliance (PCI, FedRAMP.) 

Regardless of which cadence you choose for testing, one question still remains: where should your organization conduct these tests? There’s much more nuance to this question, and the answer you’ll arrive at ultimately depends on the reason you’re aiming for the penetration test.

Arguments for Non-Production Pen Testing 

Lack of Requirements 

Testing in a non-production environment may meet your requirements. For example, if you’re conducting a Scheduled Web Application Penetration Test against your product to suffice a client’s request, there may be no requirement for the environment in which the test is conducted. Provided that’s true, it’s not unreasonable to perform testing in a non-production environment.

Production Downtime 

All organizations treat production as the organization’s crown jewels, and rightly so. Many organizations have tales of the pen test gone awry, wherein a critical business function went offline. The most common mitigation to avoid production outages is largely to test outside of the production environment.  

Data Sensitivity 

Production contains real data – likely customer data. Any unauthorized disclosure of this data poses a real risk to your organization.

Arguments for Production Penetration Testing 

Mandatory Requirements 

Point blank – testing within production may be a requirement. This typically comes from three different forces: 

  • Compliance – many compliance frameworks, such as PCI or FedRAMP, require pen tests to be conducted in production. 
    • PCI, this may be alleviated by your QSA performing a check to ensure that the non-prod and prod environments are sufficiently matched. 
    • FedRAMP, testing in a non-production environment can be marked as a finding on the Risk Exposure Table (RET). Your agency will determine whether or not this risk is acceptable. 
  • Internal – some organizations may have security policies which dictate that testing should occur within a production environment. 
  • External – your customers may have procurement policies which dictate that testing should occur within a production environment.

Production and Non-Production Mismatch 

Depending on your system’s architecture, it may be difficult to ensure that production and non-production environments are matched when it comes to security. Production environments are generally more secure. However, as we’ll see below, there are multiple scenarios in which a production environment can have a vulnerability which is not present within the non-production environment. 

Scenario 1: Configuration Differences 

Inherently, production systems will utilize different configurations from their non-production counterparts. For example, production systems shouldn’t communicate with non-production databases. There may also be certain production-specific configurations, such as security policies or features flags. These production-specific configurations cannot be tested if testing occurs in a non-production environment.

Scenario 2: Broken or Mock Functionality 

Some production systems, such as those that rely on a costly third-party API, may be broken in a non-production environment. In some cases, these third-party APIs are mocked if the API provider does not offer an inexpensive non-production API. Production-specific functionality cannot be tested if testing occurs in a non-production environment. 

Scenario 3: Non-existent Systems 

Entire systems may not exist within the non-production environment. Here are a handful of common network devices that aren’t usually present in non-production: 

  • Expensive appliances 
  • Storage arrays 
  • Security cameras and access control systems 
  • IoT devices 
  • Printers, wireless access points, workstations, and laptops 

Given the impracticality of these devices to have a representative device in a non-production environment, these devices cannot normally be tested in a non-production environment. 

Still Uneasy About Testing in Production? 

If you’re stuck in a hard place where you really don’t want to perform production pen testing, but it is still considered a requirement, there are a few mitigating strategies we recommend. 

Availability concerns can mostly be eliminated via proper communication and planning: 

  • Require testing to be conducted outside of an SLA

  • Ensure that all teams which may be affected by the penetration test have backups of servers and databases

  • Consider announcing the penetration test internally -- such as via change control procedures – to ensure that teams are notified

  • Ensure that your pen test provider is aware that: 
    • All testing should immediately cease should a production host appear offline

    • Denial of Service (DoS) testing is considered out-of-scope

    • Any testing which should impede any system or network should only be conducted with specific prior approval

    • Operations which may result in excessive database entries should be earmarked with a searchable phrase such as “Pen Test Provider, LLC” within fields

    • Scans should be tailored in-nature with reasonable time delays and threads
  • Require testing to be conducted outside of an SLA. 

Data disclosure concerns can be mitigated by: 

  • Ensuring that your pen test provider is vetted by other organizations and/or your procurement department
  • Ensuring that your pen test provider is under a non-disclosure agreement (NDA)
  • Ensuring your pen test provider is aware that: 
    • Intentional access of customer information is entirely out-of-scope, unless it is absolutely unavoidable in proving the existence of a vulnerability
    • Should any inadvertent access of customer information occur, the pen test provider should notify your organization and sanitize obtained records
    • In some cases, specifically web applications, intentional access of customer information may be avoided by attempting to access “dummy data” specifically created for the pen test

Interested in More? 

The Penetration Testing section on our Learning Center contains a wealth of other articles discussing the nuances of penetration testing from both sides of the table. Additionally, our large penetration testing team is ready to take on your pen test needs – anything from traditional external testing, all the way to hardware and physical testing. If you’re interested in having our experts examine your systems, fill out a scoping questionnaire and we’ll reach out! 

About Austin Bentley

Austin Bentley is a Manager with Schellman, based in Kansas City, Missouri. Prior to joining Schellman, Austin worked as a Penetration Tester for a large financial institution, specializing in Application Security and Internal Pentesting. Austin also led and supported various other projects, including security automation and code review.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.